Types of ServiceNow integrations provided

The Security Operations applications (Security Incident Response, Threat Intelligence, and
Vulnerability Response) can be seamlessly integrated with other ServiceNow applications to
enhance their functionality.

The following integrations are provided in the Security Operations base system.

Security Incident Response – Event Management integration

The capabilities of the Event Management application have been expanded to support Security
Incident Response. The Security Incident Response Event Management support plugin
automatically parses the contents of events in Event Management to populate fields in
security incidents.

Use case covered:

Creation of security events in the Event Management system from Security Information and
Event Management (SIEM) tools

Security Incident Response - Import Set API integration

In addition to using Event Management to push security-related events, the Security Incident
Response application provides an Import Set API that allows direct creation of security
incidents. The REST endpoint for the Security Incident Import Set is
http://localhost:8080/api/now/import/sn_si_incident_import.

This integration technique is useful when a) Event Management is not installed, or b) you
want to create security incidents directly, without going through the event > alert >
security incident flow that Event Management requires.

Use case covered:

Creation of security incidents directly from SIEM tools

Useful capabilities provided:

Automatic CI matching on Security Incident creation based on IP, NetBIOS, or fully
qualified domain name

Automatic creation of Indicators of Compromise (IoC) observable entries for any issues
found by lookup sources
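As an added example (not code from the ServiceNow documentation), a small Python client that maps a SIEM alert onto the staging table behind the endpoint above, posts it with the Import Set API, and reads back the record the transform created. The staging-table column names, the SIEM alert keys, the instance host and the exact response shape are assumptions; the table name comes from the endpoint path on this page.

```python
"""Push a SIEM alert into Security Incident Response via the Import Set API."""
import base64
import json
import urllib.request

STAGING_TABLE = "sn_si_incident_import"  # from the endpoint path on the page

# Assumed mapping: constructed SIEM alert keys -> assumed staging-table columns.
FIELD_MAP = {
    "title": "short_description",
    "details": "description",
    "source_ip": "affected_ip",
    "severity": "severity",
}


def build_import_request(instance, alert, user, password):
    """Return (url, headers, row) for a POST to the Import Set API.

    Only mapped alert keys are forwarded, so unexpected SIEM fields never
    reach the staging table. Credentials should come from a secret store,
    not from source; they are parameters here for that reason."""
    url = f"https://{instance}/api/now/import/{STAGING_TABLE}"
    row = {col: alert[key] for key, col in FIELD_MAP.items() if key in alert}
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "Authorization": f"Basic {token}"}
    return url, headers, row


def parse_import_response(body):
    """Summarise the response as (status, created record) pairs, one per row.

    Assumes each entry of "result" carries "status" and "display_value"."""
    data = json.loads(body)
    return [(r.get("status"), r.get("display_value")) for r in data.get("result", [])]


def send_alert(instance, alert, user, password):
    url, headers, row = build_import_request(instance, alert, user, password)
    req = urllib.request.Request(url, data=json.dumps(row).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_import_response(resp.read())


# Constructed sample alert and a constructed response in the assumed shape.
SAMPLE_ALERT = {"title": "Periodic outbound connections flagged by SIEM",
                "details": "Host contacted the same external address every 60s",
                "source_ip": "10.0.0.5", "severity": "2", "raw_rule_id": "r-17"}
SAMPLE_RESPONSE = json.dumps({"import_set": "ISET0010001", "staging_table": STAGING_TABLE,
                              "result": [{"status": "inserted",
                                          "display_value": "SIR0010042"}]})
```

`send_alert()` performs the live call; the two pure helpers let the mapping and response handling be checked offline.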

Threat Intelligence - threat source integration

Threat Sources provide the ability to pull in data from external threat intelligence
repositories. This data is then imported into the various Indicators of Compromise tables
that exist within the system. TAXII collections and simple blocklists are supported
natively. To add new TAXII collections (or profiles based on a discovery or collection
management service), it is as simple as adding an entry. Similarly, adding a new simple,
single column blocklist is a matter of entering a new record and providing the URL of the
blocklist. For more complicated sets of data, a custom integration can be provided to make a
call to a URL and parse the response.

Use case covered:

Retrieve data from a threat intelligence source to load into IoC tables

Vulnerability Response - scanner invocation integration

Vulnerability Scanner Invocation is a lightweight integration entry point that supports
invoking vulnerability scans from the instance. A third-party vulnerability scanner is called
asynchronously to schedule a scan for configuration items or IP addresses.

Use case covered:

Make request to third-party scanner to scan a CI (using host information derived from CI) or
IP address/IP addresses

Useful capabilities provided:

Simple framework for defining scanner implementations

Consistent way to request scans from catalog items, security incidents, and vulnerable
items

Vulnerability Response - data integration

Vulnerability data integrations are intended to retrieve vulnerability data from third-party
vulnerability systems. The expected outputs from these integrations are vulnerability entries
and vulnerable items. This integration allows third-party vulnerability scanners to function
independently, with the expectation that vulnerabilities can be worked and tracked within the
instance.